From f1cb4d579cf5617d2a0ee488b4ea44e679ca9e82 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Thu, 26 Jun 2025 12:24:43 +1000 Subject: [PATCH] Regression testing Fixes to get WOLFSSL_PUBLIC_MP testing passing. Fix DH constant time agreement: - implement constant time encoding to big-endian byte array in TFM - only force x to be zero for SP math as others implementations ensure unused words are zero - exponentiate in constant time to the smallest number of words possible - no need to encode into separate buffer anymore as encoding is constant time and front padded - make requested_sz be the maximum size for the parameters and check against agreeSz - update agreeSz to be the maximum valid size instead of filling all the buffer which may be many times too big - fix SP result to front pad when doing constant time --- wolfcrypt/src/dh.c | 198 +++++++++++++---------------------- wolfcrypt/src/sp_int.c | 4 +- wolfcrypt/src/tfm.c | 57 ++++++++++ wolfcrypt/test/test.c | 103 ++++++++++-------- wolfssl/wolfcrypt/settings.h | 4 +- wolfssl/wolfcrypt/tfm.h | 3 +- 6 files changed, 195 insertions(+), 174 deletions(-) diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index f7b3c2732..40d320599 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c 
@@ -2058,80 +2058,19 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, #endif #ifdef WOLFSSL_HAVE_SP_DH + if (0 #ifndef WOLFSSL_SP_NO_2048 - if (mp_count_bits(&key->p) == 2048) { - if (mp_init(y) != MP_OKAY) - ret = MP_INIT_E; - - if (ret == 0) { - SAVE_VECTOR_REGISTERS(ret = _svr_ret;); - - if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY) - ret = MP_READ_E; - - if (ret == 0) - ret = sp_DhExp_2048(y, priv, privSz, &key->p, agree, agreeSz); - - mp_clear(y); - - RESTORE_VECTOR_REGISTERS(); - } - - /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */ - if ((ret == 0) && - ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1)))) - { - ret = MP_VAL; - } - - #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) - #if !defined(WOLFSSL_SP_MATH) - XFREE(z, key->heap, DYNAMIC_TYPE_DH); - XFREE(x, key->heap, DYNAMIC_TYPE_DH); - #endif - XFREE(y, key->heap, DYNAMIC_TYPE_DH); - #endif - return ret; - } + || mp_count_bits(&key->p) == 2048 #endif #ifndef WOLFSSL_SP_NO_3072 - if (mp_count_bits(&key->p) == 3072) { - if (mp_init(y) != MP_OKAY) - ret = MP_INIT_E; - - if (ret == 0) { - SAVE_VECTOR_REGISTERS(ret = _svr_ret;); - - if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY) - ret = MP_READ_E; - - if (ret == 0) - ret = sp_DhExp_3072(y, priv, privSz, &key->p, agree, agreeSz); - - mp_clear(y); - - RESTORE_VECTOR_REGISTERS(); - } - - /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */ - if ((ret == 0) && - ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1)))) - { - ret = MP_VAL; - } - - #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) - #if !defined(WOLFSSL_SP_MATH) - XFREE(z, key->heap, DYNAMIC_TYPE_DH); - XFREE(x, key->heap, DYNAMIC_TYPE_DH); - #endif - XFREE(y, key->heap, DYNAMIC_TYPE_DH); - #endif - return ret; - } + || mp_count_bits(&key->p) == 3072 #endif #ifdef WOLFSSL_SP_4096 - if (mp_count_bits(&key->p) == 4096) { + || mp_count_bits(&key->p) == 4096 +#endif + ) { + int i = (int)*agreeSz - 
1; + if (mp_init(y) != MP_OKAY) ret = MP_INIT_E; @@ -2141,8 +2080,26 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY) ret = MP_READ_E; - if (ret == 0) - ret = sp_DhExp_4096(y, priv, privSz, &key->p, agree, agreeSz); + if (ret == 0) { + #ifndef WOLFSSL_SP_NO_2048 + if (mp_count_bits(&key->p) == 2048) { + ret = sp_DhExp_2048(y, priv, privSz, &key->p, agree, + agreeSz); + } + #endif + #ifndef WOLFSSL_SP_NO_3072 + if (mp_count_bits(&key->p) == 3072) { + ret = sp_DhExp_3072(y, priv, privSz, &key->p, agree, + agreeSz); + } + #endif + #ifdef WOLFSSL_SP_4096 + if (mp_count_bits(&key->p) == 4096) { + ret = sp_DhExp_4096(y, priv, privSz, &key->p, agree, + agreeSz); + } + #endif + } mp_clear(y); @@ -2156,6 +2113,18 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, ret = MP_VAL; } + if ((ret == 0) && ct) { + word16 mask = 0xff; + sword16 o = (sword16)(*agreeSz - 1); + + *agreeSz = (word32)(i + 1); + for (; i >= 0 ; i--) { + agree[i] = agree[o] & (byte)mask; + mask = ctMask16LT(0, (int)o); + o = (sword16)(o + (sword16)mask); + } + } + #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) #if !defined(WOLFSSL_SP_MATH) XFREE(z, key->heap, DYNAMIC_TYPE_DH); @@ -2166,16 +2135,8 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, return ret; } #endif -#endif #if !defined(WOLFSSL_SP_MATH) - if (ct) { - /* for the constant-time variant, we will probably use more bits in x for - * the modexp than we read from the private key, and those extra bits need - * to be zeroed. - */ - XMEMSET(x, 0, sizeof *x); - } if (mp_init_multi(x, y, z, 0, 0, 0) != MP_OKAY) { #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) XFREE(z, key->heap, DYNAMIC_TYPE_DH); 
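Review bot: `mp_count_bits(&key->p)` is evaluated once per enabled size in the combined `if (0 || ...)` condition and again for each dispatch in the following `@@ -2141` hunk. Computing it once into a local before the `if` would make the selection easier to audit and keep the condition and the dispatch from drifting apart. The new local `i` holds the last index of the caller's requested length and is only consumed by the constant-time padding further down, so a descriptive name or a comment such as `/* last index of the requested output length, used for front padding */` would help. wc_DhAgree_Sync starts and ends outside this hunk.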
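Review bot: The front-padding loop added after the `agree > 1` check has no comment, and its in-place copy is not obvious: `i` is the last index of the length the caller asked for, `o` the last index of what the SP routine produced, and bytes move from `o` to `i` downwards with zeros written once `o` reaches 0. A comment such as `/* Right-justify the secret in place and zero the front; the mask replaces a branch on the produced length. */` would document it. The loop's control flow no longer depends on the produced length, but the read `agree[o]` still starts at an index taken from `*agreeSz` as returned by the SP call, so the memory access pattern is presumably still length-dependent; the comment should say what the timing guarantee covers. The narrowing to `sword16` relies on the key sizes admitted by the enclosing condition.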
@@ -2184,6 +2145,14 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, #endif return MP_INIT_E; } +#if defined(WOLFSSL_SP_MATH_ALL) + if (ct) { + /* TFM and Integer implementations keep high words zero. + * SP math implementation needs all words set to zero as it doesn't + * ensure unused words are zero. */ + mp_forcezero(x); + } +#endif SAVE_VECTOR_REGISTERS(ret = _svr_ret;); @@ -2198,12 +2167,24 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, ret = MP_READ_E; if (ret == 0) { - if (ct) - ret = mp_exptmod_ex(y, x, - ((int)*agreeSz + DIGIT_BIT - 1) / DIGIT_BIT, + if (ct) { + int bits; + + /* x is mod q but if q not available, use p (> q). */ + if (mp_iszero(&key->q) == MP_NO) { + bits = mp_count_bits(&key->q); + } + else { + bits = mp_count_bits(&key->p); + } + /* Exponentiate to the maximum words of a valid x to ensure a + * constant time operation. */ + ret = mp_exptmod_ex(y, x, (bits + DIGIT_BIT - 1) / DIGIT_BIT, &key->p, z); - else + } + else { ret = mp_exptmod(y, x, &key->p, z); + } if (ret != MP_OKAY) ret = MP_EXPTMOD_E; } @@ -2219,6 +2200,7 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz, if (ret == 0) { if (ct) { + /* Put the secret into a buffer in constant time. */ ret = mp_to_unsigned_bin_len_ct(z, agree, (int)*agreeSz); } else { @@ -2316,7 +2298,8 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, #else #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH) if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_DH) { - ret = wc_DhAgree_Async(key, agree, agreeSz, priv, privSz, otherPub, pubSz); + ret = wc_DhAgree_Async(key, agree, agreeSz, priv, privSz, otherPub, + pubSz); } else #endif 
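Review bot: In the `@@ -2198` hunk the digit count passed to `mp_exptmod_ex` is derived from `key->q` (or `key->p`), but nothing in the hunk ties it to the width of `x`, which is read from `priv`/`privSz` outside the hunk. If a caller supplies a private value wider than q, `x` would use more digits than the count given; how `mp_exptmod_ex` treats that case is not visible here. Either reject it before the call using the public length, for example by comparing `privSz` with `(bits + 7) / 8`, or extend the comment to `/* x is mod q (enforced by <where>); if q is not available, use p (> q). */` so the assumption is checkable. wc_DhAgree_Sync starts and ends outside this hunk.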
@@ -2332,56 +2315,21 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv, word32 privSz, const byte* otherPub, word32 pubSz) { - int ret; word32 requested_agreeSz; -#ifndef WOLFSSL_NO_MALLOC - byte *agree_buffer = NULL; -#else - byte agree_buffer[DH_MAX_SIZE / 8]; -#endif if (key == NULL || agree == NULL || agreeSz == NULL || priv == NULL || otherPub == NULL) { return BAD_FUNC_ARG; } - requested_agreeSz = *agreeSz; - -#ifndef WOLFSSL_NO_MALLOC - agree_buffer = (byte *)XMALLOC(requested_agreeSz, key->heap, - DYNAMIC_TYPE_DH); - if (agree_buffer == NULL) - return MEMORY_E; -#endif - - XMEMSET(agree_buffer, 0, requested_agreeSz); - - ret = wc_DhAgree_Sync(key, agree_buffer, agreeSz, priv, privSz, otherPub, - pubSz, 1); - - if (ret == 0) { - /* Arrange for correct fixed-length, right-justified key, even if the - * crypto back end doesn't support it. This assures that the key is - * unconditionally agreed correctly. With some crypto back ends, - * e.g. heapmath, there are no provisions for actual constant time, but - * with others the key computation and clamping is constant time, and - * the unclamping here is also constant time. - */ - byte *agree_src = agree_buffer + *agreeSz - 1, - *agree_dst = agree + requested_agreeSz - 1; - while (agree_dst >= agree) { - word32 mask = (agree_src >= agree_buffer) - 1U; - agree_src += (mask & requested_agreeSz); - *agree_dst-- = *agree_src--; - } - *agreeSz = requested_agreeSz; + requested_agreeSz = (word32)mp_unsigned_bin_size(&key->p); + if (requested_agreeSz > *agreeSz) { + return BUFFER_E; } + *agreeSz = requested_agreeSz; -#ifndef WOLFSSL_NO_MALLOC - XFREE(agree_buffer, key->heap, DYNAMIC_TYPE_DH); -#endif - - return ret; + return wc_DhAgree_Sync(key, agree, agreeSz, priv, privSz, otherPub, pubSz, + 1); } #ifdef WOLFSSL_DH_EXTRA diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index 454adf6a0..e03d2ea39 100644 
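Review bot: `requested_agreeSz` no longer holds what the caller requested; after this change it is the byte length of `key->p`, and the incoming `*agreeSz` is only a capacity checked against it. A name such as `pSz` plus a function comment would make the new contract visible, for example `/* agree must hold at least the byte length of p; on success *agreeSz is that length and the secret is front-padded with zeros. */`. Callers that passed a buffer shorter than p now receive `BUFFER_E`, and callers that relied on `*agreeSz` coming back as the full buffer size now get a smaller value, so both belong in the API documentation. `*agreeSz` is also overwritten before `wc_DhAgree_Sync` runs, so it is modified even when the call fails.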
--- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -5241,7 +5241,7 @@ int sp_grow(sp_int* a, int l) #endif /* (!NO_RSA && !WOLFSSL_RSA_VERIFY_ONLY) || !NO_DH || HAVE_ECC */ #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ - defined(HAVE_ECC) + defined(HAVE_ECC) || defined(WOLFSSL_PUBLIC_MP) /* Set the multi-precision number to zero. * * @param [out] a SP integer to set to zero. @@ -5826,7 +5826,7 @@ int sp_cmp_ct(const sp_int* a, const sp_int* b, unsigned int n) #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ ((defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_SM2)) && \ - defined(HAVE_ECC)) || defined(OPENSSL_EXTRA) + defined(HAVE_ECC)) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_PUBLIC_MP) /* Check if a bit is set * * When a is NULL, result is 0. diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 5bd732860..063d15e20 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c 
@@ -4198,6 +4198,58 @@ int fp_to_unsigned_bin(fp_int *a, unsigned char *b) return FP_OKAY; } +int fp_to_unsigned_bin_len_ct(fp_int *a, unsigned char *out, int outSz) +{ + int err = MP_OKAY; + + /* Validate parameters. */ + if ((a == NULL) || (out == NULL) || (outSz < 0)) { + err = MP_VAL; + } + +#if DIGIT_BIT > 8 + if (err == MP_OKAY) { + /* Start at the end of the buffer - least significant byte. */ + int j; + unsigned int i; + fp_digit mask = (fp_digit)-1; + fp_digit d; + + /* Put each digit in. */ + i = 0; + for (j = outSz - 1; j >= 0; ) { + unsigned int b; + d = a->dp[i]; + /* Place each byte of a digit into the buffer. */ + for (b = 0; (j >= 0) && (b < (DIGIT_BIT / 8)); b++) { + out[j--] = (byte)(d & mask); + d >>= 8; + } + mask &= (fp_digit)0 - (i < (unsigned int)a->used - 1); + i += (unsigned int)(1 & mask); + } + } +#else + if ((err == MP_OKAY) && ((unsigned int)outSz < a->used)) { + err = MP_VAL; + } + if (err == MP_OKAY) { + unsigned int i; + int j; + fp_digit mask = (fp_digit)-1; + + i = 0; + for (j = outSz - 1; j >= 0; j--) { + out[j] = a->dp[i] & mask; + mask &= (fp_digit)0 - (i < (unsigned int)a->used - 1); + i += (unsigned int)(1 & mask); + } + } +#endif + + return err; +} + int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c) { #if DIGIT_BIT == 64 || DIGIT_BIT == 32 || DIGIT_BIT == 16 @@ -4823,6 +4875,11 @@ int mp_to_unsigned_bin (mp_int * a, unsigned char *b) return fp_to_unsigned_bin(a,b); } +int mp_to_unsigned_bin_len_ct(mp_int * a, unsigned char *b, int c) +{ + return fp_to_unsigned_bin_len_ct(a, b, c); +} + int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c) { return fp_to_unsigned_bin_len(a, b, c); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 002096167..f141b38df 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
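Review bot: In `fp_to_unsigned_bin_len_ct`, `(unsigned int)a->used - 1` wraps to the largest unsigned value when `a->used` is 0, so `mask` never clears and `i` keeps advancing through `a->dp` for as long as `outSz` lasts, which with a large `outSz` may index past the digit array. Writing the update as `mask &= (fp_digit)0 - (i + 1 < (unsigned int)a->used);` in both preprocessor branches avoids the wrap. The two branches also disagree on sizing: the `#else` branch returns `MP_VAL` when `outSz < a->used`, while the `DIGIT_BIT > 8` branch silently drops high bytes of a value that does not fit, so a matching check or a comment stating that callers guarantee the size is needed. The function has no header comment; it should state that the output is big-endian and zero-padded at the front, and which inputs the constant-time property covers.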
@@ -801,7 +801,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void); defined(USE_FAST_MATH)) WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void); #endif -#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) +#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) && \ + (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG) WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prime_test(void); #endif #if defined(ASN_BER_TO_DER) && \ @@ -2481,7 +2482,8 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ TEST_PASS("mp test passed!\n"); #endif -#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) +#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) && \ + (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG) if ( (ret = prime_test()) != 0) TEST_FAIL("prime test failed!\n", ret); else @@ -23690,37 +23692,6 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dh_test(void) ERROR_OUT(WC_TEST_RET_ENC_NC, done); } -#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \ - !defined(HAVE_SELFTEST) - agreeSz = DH_TEST_BUF_SIZE; - agreeSz2 = DH_TEST_BUF_SIZE; - - ret = wc_DhAgree_ct(key, agree, &agreeSz, priv, privSz, pub2, pubSz2); - if (ret != 0) - ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done); - - ret = wc_DhAgree_ct(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz); - if (ret != 0) - ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done); - -#ifdef WOLFSSL_PUBLIC_MP - if (agreeSz != (word32)mp_unsigned_bin_size(&key->p)) - { - ERROR_OUT(WC_TEST_RET_ENC_NC, done); - } -#endif - - if (agreeSz != agreeSz2) - { - ERROR_OUT(WC_TEST_RET_ENC_NC, done); - } - - if (XMEMCMP(agree, agree2, agreeSz) != 0) - { - ERROR_OUT(WC_TEST_RET_ENC_NC, done); - } -#endif /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && !HAVE_SELFTEST */ - #endif /* !WC_NO_RNG */ #if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) 
@@ -23743,6 +23714,34 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dh_test(void) } #endif +#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \ + !defined(HAVE_SELFTEST) + agreeSz = DH_TEST_BUF_SIZE; + agreeSz2 = DH_TEST_BUF_SIZE; + + ret = wc_DhAgree_ct(key, agree, &agreeSz, priv, privSz, pub2, pubSz2); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done); + + ret = wc_DhAgree_ct(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz); + if (ret != 0) + ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done); + +#ifdef WOLFSSL_PUBLIC_MP + if (agreeSz != (word32)mp_unsigned_bin_size(&key->p)) { + ERROR_OUT(WC_TEST_RET_ENC_NC, done); + } +#endif + + if (agreeSz != agreeSz2) { + ERROR_OUT(WC_TEST_RET_ENC_NC, done); + } + + if (XMEMCMP(agree, agree2, agreeSz) != 0) { + ERROR_OUT(WC_TEST_RET_ENC_NC, done); + } +#endif /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && !HAVE_SELFTEST */ + /* Test DH key import / export */ #if defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) && \ (!defined(HAVE_FIPS) || \ @@ -55539,9 +55538,9 @@ static wc_test_ret_t mp_test_div_3(mp_int* a, mp_int* r, WC_RNG* rng) #endif /* WOLFSSL_SP_MATH || !USE_FAST_MATH */ #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \ - !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ + !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \ - (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY))) + (defined(OPENSSL_EXTRA) || !defined(NO_DSA) || defined(HAVE_ECC))) static wc_test_ret_t mp_test_radix_10(mp_int* a, mp_int* r, WC_RNG* rng) { wc_test_ret_t ret; @@ -55754,6 +55753,8 @@ static wc_test_ret_t mp_test_shift(mp_int* a, mp_int* r1, WC_RNG* rng) return 0; } +#if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \ + (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D)) static wc_test_ret_t mp_test_add_sub_d(mp_int* a, mp_int* r1) { int i, j; 
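Review bot: The re-added `wc_DhAgree_ct` block used to sit before `#endif /* !WC_NO_RNG */` (see the removal in the `@@ -23690` hunk) and is now guarded only by the FIPS/selftest condition. If `priv`, `pub2`, `priv2` and `pub` are only produced inside the `!WC_NO_RNG` region, which is not visible here, the guard should become `#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && !defined(HAVE_SELFTEST) && !defined(WC_NO_RNG)`. The block also never exercises the new `BUFFER_E` return of `wc_DhAgree_ct`; a case that sets `agreeSz` below the size of p and expects `WC_NO_ERR_TRACE(BUFFER_E)` would pin that behaviour. dh_test starts and ends outside this hunk.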
@@ -55793,6 +55794,7 @@ static wc_test_ret_t mp_test_add_sub_d(mp_int* a, mp_int* r1) return 0; } +#endif static wc_test_ret_t mp_test_read_to_bin(mp_int* a) { @@ -55921,7 +55923,8 @@ static wc_test_ret_t mp_test_param(mp_int* a, mp_int* b, mp_int* r, WC_RNG* rng) mp_free(NULL); -#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(NO_DH) || defined(HAVE_ECC) +#if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ + !defined(NO_DH) || defined(HAVE_ECC) ret = mp_grow(NULL, 1); if (ret != WC_NO_ERR_TRACE(MP_VAL)) return WC_TEST_RET_ENC_EC(ret); @@ -56101,8 +56104,8 @@ static wc_test_ret_t mp_test_param(mp_int* a, mp_int* b, mp_int* r, WC_RNG* rng) mp_zero(NULL); -#if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \ - !defined(WOLFSSL_RSA_PUBLIC_ONLY) +#if !defined(NO_DH) || defined(HAVE_ECC) || (!defined(NO_RSA) && \ + (defined(WC_RSA_BLINDING) || !defined(WOLFSSL_RSA_PUBLIC_ONLY))) ret = mp_lshd(NULL, 0); if (ret != WC_NO_ERR_TRACE(MP_VAL)) return WC_TEST_RET_ENC_EC(ret); @@ -58009,8 +58012,8 @@ static wc_test_ret_t mp_test_exptmod(mp_int* b, mp_int* e, mp_int* m, mp_int* r) #endif /* !NO_RSA || !NO_DSA || !NO_DH || (HAVE_ECC && HAVE_COMP_KEY) || * OPENSSL_EXTRA */ -#if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \ - defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) +#if defined(HAVE_ECC) || \ + (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) static wc_test_ret_t mp_test_mont(mp_int* a, mp_int* m, mp_int* n, mp_int* r, WC_RNG* rng) { wc_test_ret_t ret; @@ -58259,6 +58262,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) #endif #endif + #if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \ + (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D) && \ + defined(WOLFSSL_SP_INVMOD)) /* Ensure add digit produce same result as sub digit. */ ret = mp_add_d(a, d, r1); if (ret != 0) 
@@ -58275,6 +58281,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) ret = mp_invmod(a, p, r1); if (ret != 0 && ret != WC_NO_ERR_TRACE(MP_VAL)) ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done); + #endif #ifndef WOLFSSL_SP_MATH /* Shift up and down number all bits in a digit. */ @@ -58293,6 +58300,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) } } +#if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \ + (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D)) /* Test adding and subtracting zero from zero. */ mp_zero(a); ret = mp_add_d(a, 0, r1); @@ -58307,6 +58316,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) if (!mp_iszero(r2)) { ERROR_OUT(WC_TEST_RET_ENC_NC, done); } +#endif #if DIGIT_BIT >= 32 /* Check that setting a 32-bit digit works. */ @@ -58357,9 +58367,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) goto done; #endif #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \ - !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ + !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \ (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \ - (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY))) + (defined(OPENSSL_EXTRA) || !defined(NO_DSA) || defined(HAVE_ECC))) if ((ret = mp_test_radix_10(a, r1, &rng)) != 0) goto done; #endif @@ -58371,8 +58381,11 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) if ((ret = mp_test_shift(a, r1, &rng)) != 0) goto done; +#if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \ + (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D)) if ((ret = mp_test_add_sub_d(a, r1)) != 0) goto done; +#endif if ((ret = mp_test_read_to_bin(a)) != 0) goto done; #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL) 
@@ -58427,8 +58440,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void) if ((ret = mp_test_exptmod(a, b, r1, r2)) != 0) goto done; #endif -#if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \ - defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) +#if defined(HAVE_ECC) || \ + (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) if ((ret = mp_test_mont(a, b, r1, r2, &rng)) != 0) goto done; #endif @@ -58482,6 +58495,7 @@ typedef struct pairs_t { } pairs_t; +#if (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG) /* n =p1p2p3, where pi = ki(p1-1)+1 with (k2,k3) = (173,293) p1 = 2^192 * 0x000000000000e24fd4f6d6363200bf2323ec46285cac1d3a @@ -58796,6 +58810,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prime_test(void) return ret; } +#endif #endif /* WOLFSSL_PUBLIC_MP */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 3cb726905..ebca35213 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2901,7 +2901,7 @@ extern void uITRON4_free(void *p) ; /* Determine when mp_read_radix with a radix of 10 is required. */ #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \ !defined(WOLFSSL_RSA_VERIFY_ONLY)) || defined(HAVE_ECC) || \ - !defined(NO_DSA) || defined(OPENSSL_EXTRA) + !defined(NO_DSA) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_PUBLIC_MP) #define WOLFSSL_SP_READ_RADIX_16 #endif @@ -2914,7 +2914,7 @@ extern void uITRON4_free(void *p) ; /* Determine when mp_invmod is required. */ #if defined(HAVE_ECC) || !defined(NO_DSA) || defined(OPENSSL_EXTRA) || \ (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY) && \ - !defined(WOLFSSL_RSA_PUBLIC_ONLY)) + !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(OPENSSL_EXTRA) #define WOLFSSL_SP_INVMOD #endif diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index 718077cd5..ffec06db1 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h 
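Review bot: In settings.h the term added to the `WOLFSSL_SP_INVMOD` condition, `|| defined(OPENSSL_EXTRA)`, is redundant, because `defined(OPENSSL_EXTRA)` is already the third term on the first line of the same `#if`. The preceding hunk adds `defined(WOLFSSL_PUBLIC_MP)` to the radix condition and the commit targets WOLFSSL_PUBLIC_MP builds, so this line was possibly meant to read `!defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_PUBLIC_MP)`. If the duplicate is intentional it can simply be dropped; if not, the `mp_invmod` test that test.c now gates on `WOLFSSL_SP_INVMOD` will be skipped in PUBLIC_MP-only builds without anyone noticing.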
@@ -725,6 +725,7 @@ int fp_leading_bit(fp_int *a); int fp_unsigned_bin_size(const fp_int *a); int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c); int fp_to_unsigned_bin(fp_int *a, unsigned char *b); +int fp_to_unsigned_bin_len_ct(fp_int *a, unsigned char *b, int c); int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c); int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b); @@ -847,7 +848,7 @@ MP_API int mp_unsigned_bin_size(const mp_int * a); MP_API int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c); MP_API int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b); MP_API int mp_to_unsigned_bin (mp_int * a, unsigned char *b); -#define mp_to_unsigned_bin_len_ct mp_to_unsigned_bin_len +MP_API int mp_to_unsigned_bin_len_ct(mp_int * a, unsigned char *b, int c); MP_API int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c); MP_API int mp_sub_d(fp_int *a, fp_digit b, fp_int *c);